Sunday, November 15, 2009

There are times when running multiple sshd daemons makes sense. One of those times is when you have a server that has both a public/external interface and a private/internal interface. An LTSP server is a perfect example of this.

LTSP servers typically have an internal network that the thin clients are on and an external network that connects to the Internet. Often, the internal users are not using strong passphrases, and allowing direct ssh connections from the Internet would put your system at risk.

The solution is to split up the sshd configuration by interface so you can use more secure settings for the public interface.

In this setup I also create an sshd daemon for localhost (127.0.0.1), as it is used by NOMACHINE's nxServer and client.

Setup

Create custom files:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config_internal

cp /etc/ssh/sshd_config /etc/ssh/sshd_config_localhost

cp /etc/init.d/ssh /etc/init.d/ssh_internal

cp /etc/init.d/ssh /etc/init.d/ssh_localhost

cp /etc/default/ssh /etc/default/ssh_internal

cp /etc/default/ssh /etc/default/ssh_localhost

cp /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_internal_rsa_key

cp /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_localhost_rsa_key

cp /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_internal_dsa_key

cp /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_localhost_dsa_key

Minimal Config File Changes

These are the minimum changes required to make the three daemons' configurations different enough to run side by side. Later you can make further modifications to increase the security of the public interface.

Edit /etc/ssh/sshd_config

Edit ListenAddress to make it the IP address of the public interface

Add PidFile /var/run/sshd.pid

Edit /etc/ssh/sshd_config_internal

Edit ListenAddress to make it the IP address of the private interface

Add PidFile /var/run/sshd_internal.pid

Edit HostKey /etc/ssh/ssh_host_internal_rsa_key

Edit HostKey /etc/ssh/ssh_host_internal_dsa_key

Edit /etc/ssh/sshd_config_localhost

Edit ListenAddress to make it 127.0.0.1

Add PidFile /var/run/sshd_localhost.pid

Edit HostKey /etc/ssh/ssh_host_localhost_rsa_key

Edit HostKey /etc/ssh/ssh_host_localhost_dsa_key
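The config-file edits above, as an added shell example that is not part of the original post: it derives each variant from one base sshd_config with sed, replacing (rather than duplicating) the ListenAddress, PidFile and HostKey lines, since sshd accumulates multiple ListenAddress and HostKey entries instead of overriding them. The addresses 203.0.113.10 and 192.168.0.1, the base file name sshd_config.orig and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a Debian-style
# sshd_config in which ListenAddress/PidFile/HostKey may be active,
# commented out, or absent.
set -eu

# make_variant BASE OUT LISTEN PIDFILE KEYTAG
#   KEYTAG is "" (keep the stock host keys, as for the public daemon) or a
#   tag such as "internal" (use /etc/ssh/ssh_host_internal_{rsa,dsa}_key).
make_variant() {
    base=$1 out=$2 listen=$3 pidfile=$4 keytag=$5
    # Drop every ListenAddress/PidFile/HostKey line, active or commented.
    # A leftover active line would bind an extra address or load an extra key.
    sed -e '/^[[:space:]]*#*[[:space:]]*ListenAddress[[:space:]]/d' \
        -e '/^[[:space:]]*#*[[:space:]]*PidFile[[:space:]]/d' \
        -e '/^[[:space:]]*#*[[:space:]]*HostKey[[:space:]]/d' \
        "$base" > "$out"
    suffix=${keytag:+_$keytag}          # "" or "_internal" etc.
    {
        printf '\n# Per-interface settings (generated)\n'
        printf 'ListenAddress %s\n' "$listen"
        printf 'PidFile %s\n' "$pidfile"
        printf 'HostKey /etc/ssh/ssh_host%s_rsa_key\n' "$suffix"
        printf 'HostKey /etc/ssh/ssh_host%s_dsa_key\n' "$suffix"
    } >> "$out"
}

# directive_value FILE NAME: print the active (uncommented) values of NAME,
# one per line, so each file can be checked before its daemon is started.
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1"
}

# Usage matching the post (run as root; keep an untouched copy as the base,
# because make_variant truncates OUT before reading BASE):
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
#   make_variant /etc/ssh/sshd_config.orig /etc/ssh/sshd_config \
#       203.0.113.10 /var/run/sshd.pid ""
#   make_variant /etc/ssh/sshd_config.orig /etc/ssh/sshd_config_internal \
#       192.168.0.1 /var/run/sshd_internal.pid internal
#   make_variant /etc/ssh/sshd_config.orig /etc/ssh/sshd_config_localhost \
#       127.0.0.1 /var/run/sshd_localhost.pid localhost
#   sshd -t -f /etc/ssh/sshd_config_internal   # syntax check before starting
```

Run `sshd -t -f FILE` on each generated file before starting the daemons; it also confirms the copied host keys are readable at the new paths.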

Init Script Changes

Here, it is easier to modify one of the scripts first and then do a search and replace to create the second script, but I will show all the changes: